rule Windows_Trojan_CaesarKbd_32bb198b {
    meta:
        author = "Elastic Security"
        id = "32bb198b-ec03-4628-8e9b-bc36c2525ec7"
        fingerprint = "54ed92761bb619ae4dcec9c27127d6c2a74a575916249cd5db24b8deb2ee0588"
        creation_date = "2022-04-04"
        last_modified = "2022-06-09"
        threat_name = "Windows.Trojan.CaesarKbd"
        reference_sample = "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8"
        severity = 100
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        $str1 = "CaesarKbd_IOCtrl"
    condition:
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}

